ISO-IEC-27001-Lead-Auditor PECB Certified ISO/IEC 27001 2022 Lead Auditor exam Questions and Answers

 According to ISO/IEC 27001:2022 clause 6.1, the organization must establish, implement and maintain an information security risk management process that includes the following activities:

• establishing and maintaining information security risk criteria;
• ensuring that repeated information security risk assessments produce consistent, valid and comparable results;
• identifying the information security risks;
• analyzing the information security risks;
• evaluating the information security risks;
• treating the information security risks;
• accepting the information security risks and the residual information security risks;
• communicating and consulting with stakeholders throughout the process;
• monitoring and reviewing the information security risks and the risk treatment plan.

According to control A.5.29, the organization must establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. The organization must also:

• determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster;
• establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation;
• verify the availability of information processing facilities.

Therefore, the following options will not be in your audit trail, as they are not relevant to the information security risk management process or the information security continuity process:

• E. Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2). This is not relevant to the information security aspects of business continuity management, as it is related to the health and safety of the staff, not the protection of information assets. Control A.7.2 is about screening of personnel prior to employment, not during employment.
• G. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6). This is not relevant to the information security aspects of business continuity management, as it is related to the operational and financial aspects of the business, not the identification and treatment of information security risks. Clause 6 is about the information security risk management process, not the business risk management process.
• H. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1). This is not relevant to the information security aspects of business continuity management, as it is related to the general provision of resources for the ISMS, not the specific processes, procedures and controls to ensure the continuity of information security during a disruptive situation. Clause 7.1 is about determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS, not the resources needed for the staff working from home.

References:

• ISO/IEC 27001:2022, clauses 6.1, 7.1, and Annex A control A.5.29
• [PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 14-15, 17, 22-23
• ISO 27001:2022 Annex A Control 5.29 - What’s New?
• ISO 22301 Business Continuity Management System

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit team leader should obtain information about the additional sites to inform the individual(s) managing the audit programme, as this may affect the audit objectives, scope, criteria, duration, resources, and risks. The audit team leader should also review the audit plan and make any necessary adjustments in consultation with the auditee and the audit client1. References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 27, section 4.3.2.2.

The purpose of a follow-up audit is to verify the completion and effectiveness of corrective actions taken by the auditee in response to the nonconformities identified in a previous audit1. A follow-up audit is a type of audit that is conducted after an initial audit, and it focuses on the specific areas where nonconformities were found and corrective actions were agreed upon2. A follow-up audit can be conducted as a separate audit or as part of a scheduled audit, depending on the nature and severity of the nonconformities and the audit programme objectives3.

The other options are not the purpose of a follow-up audit, but rather the purpose of other types of audits. For example:

•Option A is the purpose of a performance audit, which is a type of audit that evaluates the effectiveness of the management system in achieving its intended results4.

•Option B is the purpose of a compliance audit, which is a type of audit that verifies the conformity of the management system with the specified requirements, such as the ISMS objectives5.

•Option C is the purpose of a process audit, which is a type of audit that examines the inputs, activities, outputs, and interactions of a specific process within the management system, such as the risk treatment process.

References: 1: ISO 19011:2018, 6.7; 2: ISO 19011:2018, 3.7; 3: ISO 19011:2018, 5.5.2; 4: ISO 19011:2018, 3.6; 5: ISO 19011:2018, 3.5; : ISO 19011:2018, 3.4; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : [ISO 19011:2018]

The two true statements are B and E. According to ISO 19011:2022, the audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose1, while the audit programme describes the activities and arrangements for an audit2. The other options are either false or irrelevant. The responsibility for managing the audit programme rests with the audit programme manager, not the audit team leader (A)3. The audit plan can be changed during the conducting of the audit if necessary, with the agreement of the audit client and the auditee ©4. The audit programme and the audit plan are not the same thing, so D and F are incorrect. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.8 \n2: ISO 19011:2022, Guidelines for auditing management systems, Clause 3.9 \n3: ISO 19011:2022, Guidelines for auditing management systems, Clause 5.3.1 \n4: ISO 19011:2022, Guidelines for auditing management systems, Clause 6.4.2

• A. Advise the Shipping Manager that his request will be included in the audit report. This is true because the audit report should document all the relevant information and evidence related to the audit, including any requests or objections raised by the auditee. The audit report should also provide the rationale for the audit conclusions and recommendations12.
• B. Advise management that the new information provided will be discussed when the auditors have more time. This is true because the auditors should not make hasty decisions based on incomplete or unverified information. The auditors should review and evaluate the new information in a systematic and objective manner, and determine whether it affects the audit findings, nonconformities, or conclusions12.
• F. Thank the Shipping Manager for his honesty but advise that withdrawing the nonconformity is not the right way to proceed. This is true because the auditors should acknowledge and appreciate the cooperation and transparency of the auditee, but also maintain their professional integrity and independence. The auditors should not withdraw a nonconformity unless they are satisfied that it was raised in error or that it has been effectively corrected and verified12.

References :=

• ISO 19011:2022 Guidelines for auditing management systems
• ISO/IEC 17021-1:2022 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, audit methods can be classified into two categories: with or without interaction with individuals representing the auditee (page 12). Audit methods with interaction include reviewing checklists with auditee and conducting interviews, as they involve direct communication and feedback from the auditee. Audit methods without interaction include sampling (e.g. products), observing work performed via live video streaming, checking legal compliance with local authorities, and analysing documents provided in advance of the audit, as they do not require any dialogue or exchange with the auditee. References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 12.

In the Act phase of the PDCA cycle, the process is reviewed and evaluated based on the results from the Check phase. The actions taken in this phase aim to continually improve the process performance by addressing the root causes of problems, implementing corrective and preventive actions, and updating the process documentation1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients’ mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?

Vehicular incidents are not a type of information security attack. A vehicular incident is an event that involves a vehicle or its driver causing damage or injury to people or property. A vehicular incident may have an impact on information security if it affects the availability or integrity of information or systems that are transported or accessed by vehicles, but it is not an intentional or malicious attack on information security. Legal incidents are a type of information security attack that involve legal actions or disputes that may compromise the confidentiality or integrity of information or systems. Technical vulnerabilities are a type of information security attack that exploit weaknesses or flaws in software or hardware that may compromise the confidentiality, integrity, or availability of information or systems. Privacy incidents are a type of information security attack that involve unauthorized access or disclosure of personal or sensitive information that may compromise the confidentiality or integrity of information or systems. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 25. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.

A third-party audit is an independent assessment of an organisation’s management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation’s management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References:

• PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25
• ISO 19011:2018 - Guidelines for auditing management systems
• The ISO 27001 audit process | ISMS.online

Yes, Jack should communicate such situations to the certification body. It is essential for auditors to report potential nonconformities and ethical breaches to the certification body to maintain the integrity and credibility of the audit process, without necessarily informing top management of these steps.

References: ISO 19011:2018, Guidelines for auditing management systems

The main purpose of a Stage 2 third-party audit is to evaluate the implementation and effectiveness of the organisation’s management system and to identify any nonconformances against the requirements of the standard12. The other options are either the objectives of a Stage 1 audit (A, D) or a specific aspect of the audit scope (B). References: 1: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 9.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 4: Preparing an ISO/IEC 27001 audit

The benefits of implementing an ISMS are not limited to a reduction in information security risks, but also include improved business performance, customer satisfaction, legal compliance, and stakeholder confidence. The benefit of certifying an ISMS is not only to obtain contracts from governmental institutions, but also to demonstrate the organisation’s commitment to information security to other potential customers, partners, and regulators. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements, but rather to ensure that the organisation meets its own information security objectives and obligations.

References:

• ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
• ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements [Section 0.1] and [Section 1]

Based on the understanding of follow-up audits, especially in the context of Information Security Management Systems (ISMS) and the guidelines provided by ISO 19011:2018, here are the four questions from your list that the auditor in training has answered correctly:

B. Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A: YES This is correct. The primary purpose of follow-up audits is to verify that nonconformities identified in previous audits have been effectively addressed and the corrective actions taken are suitable and effective.

D. Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A: YES Yes, the follow-up audit aims to verify the completion and effectiveness of corrections and corrective actions. It may also consider the implementation of opportunities for improvement identified during the initial audit.

E. Q: Are follow-up audits required for all audits? A: NO This is correct. Follow-up audits are not automatically required for all audits. They are typically conducted when nonconformities or other significant issues were identified in an earlier audit and there's a need to verify the implementation and effectiveness of the corrective actions.

H. Q: Could an outcome from a follow-up audit be another follow-up audit if required? A: YES Yes, this is a possible outcome. If the follow-up audit finds that the corrective actions have not been fully effective, or if new issues are identified, it may be necessary to conduct another follow-up audit.

The other responses provided by the auditor in training require some clarification or correction. For instance, while a follow-up audit primarily focuses on previously identified nonconformities and corrective actions, it can still identify new nonconformities if observed (A). Opportunities for improvement are generally considered in the scope of regular audits more so than in follow-up audits, which are more narrowly focused on corrective actions (C). Also, the outcomes of follow-up audits should typically be reported to both the audit team leader and the audit client (F and G), ensuring transparency and accountability.

 The four questions that the auditor in training has answered correctly are B, D, E, and H. These questions and answers are consistent with the definition and purpose of a follow-up audit as specified in ISO 19011:2018, Clause 6.712. A follow-up audit is conducted to verify the completion and effectiveness of corrective actions taken as a result of a previous audit (B, D). Follow-up audits are not mandatory for all audits, but they may be required by the audit program, the audit client, or other interested parties (E). The outcome of a follow-up audit may be another follow-up audit if the corrective actions are not satisfactory or not completed within the agreed time frame (H). The other questions and answers are either incorrect or irrelevant. A follow-up audit should not seek to identify new nonconformities, as this is not its objective (A). Follow-up audits should consider agreed opportunities for improvement as well as corrective actions, as they are both outputs of a previous audit ©. The outcome of a follow-up audit should be reported to the audit client, as well as to other relevant parties, such as the audit team leader who carried out the previous audit (F, G). References: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit

This situation is unacceptable because UpNet should have requested and been granted an extension audit prior to announcing that the ISMS certification scope encompasses the whole company, including the new department. Proper procedures need to be followed to extend the certification to additional departments or processes.

Yes, it is acceptable for the internal auditor to follow-up on the implementation of corrective actions until verified by the external auditor during the next surveillance audit. This practice supports continuous improvement and ensures that corrective actions are effectively implemented and maintained over time.

References: PECB ISO/IEC 27001 Lead Auditor Course Material; ISO/IEC 27001:2013, Clause 9.2 (Internal audit)

The non-conformity you have identified relates to the organization's failure to implement adequate operational controls to ensure that service and regulatory requirements for data protection are met. This situation is particularly critical given the nature of the items being shipped, which include sensitive medical information and government documents. The fact that 15% of returned parcels have labels for different addresses, potentially exposing sensitive information to incorrect recipients, underscores the lack of effective information security practices.

The best description of the non-conformity, based on the details provided and the requirements of ISO/IEC 27001:2022, particularly clause 8.1 which deals with operational planning and control, would be:

C. The organisation does not have an effective process in place that ensures service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications) without adequate operational controls to meet information security requirements.

This option accurately captures the essence of the non-conformity by highlighting the lack of effective operational controls to protect sensitive information, leading to potential unauthorized disclosure of information intended for another party. This is a direct violation of information security management principles, particularly those related to the protection of confidentiality and integrity of information as mandated by ISO/IEC 27001:2022.

 Information or data that are classified as public do not require labeling. Public information or data are those that are intended for general disclosure and have no impact on the organization’s operations or reputation if disclosed. Labeling is a method of implementing classification, which is a process of structuring information according to its sensitivity and value for the organization. Labeling helps to identify the level of protection and handling required for each type of information. Information or data that are classified as internal, confidential, or highly confidential require labeling, as they contain information that is not suitable for public disclosure and may cause harm or loss to the organization if disclosed. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.

The four controls from the list that are related to PHYSICAL aspects of the ISMS are:

•Access to and from the loading bay

•How power and data cables enter the building

•The operation of the site CCTV and door control systems

•The organisation’s arrangements for maintaining equipment

These controls are derived from the ISO 27001 Annex A, which provides a comprehensive list of information security controls that can be applied to an ISMS1. The other controls in the list are more related to ORGANIZATIONAL, LEGAL, or HUMAN aspects of the ISMS, which are also important, but not the focus of this question.

According to the ISMS Auditing Guideline2, the auditor in training should review the PHYSICAL controls by:

•Checking the SoA to identify the applicable controls and their implementation status

•Interviewing the relevant staff and management to verify their understanding and involvement in the controls

•Observing the physical and environmental conditions to confirm the existence and effectiveness of the controls

•Examining the relevant documents and records to validate the compliance and performance of the controls

I hope this helps you prepare for the exam. ????

References: 1: What Are ISO 27001 Controls? A Guide to Annex A | Secureframe; 2: ISMS Auditing Guideline - ISO27000

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.

Three options that will be in the audit trail for verifying control A.5.29 are:

• Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.
• Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.
• Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.

The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:

• Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.
• Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.
• Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.

References: ISO/IEC 27001:2022 - Information technology – Security techniques – Information security management systems – Requirements

Auditors have the authority to object or even refuse an audit mandate if they believe that the audit duration proposed by the auditee is not sufficient to thoroughly assess the ISMS. It is crucial for the audit to be comprehensive enough to cover all necessary aspects of the system, ensuring its effectiveness and compliance.

References: ISO 19011:2018, Guidelines for auditing management systems

SendPay's inability to restore their services immediately after the contract termination indicates a lack of a comprehensive business continuity plan that addresses the potential impacts of such terminations. This oversight can result in significant operational disruptions, as observed.

References: ISO/IEC 27001:2013 Standard, Clause A.17 (Information security aspects of business continuity management)

The word that best completes the sentence is “demonstrate”. According to ISO/IEC 27001:2022, Clause 7.5, the organization shall retain documented information as evidence of the performance of the processes and the conformity of the products and services with the requirements1. The purpose of retaining documented information is to demonstrate conformity with the requirements of the management system standard, not to maintain, audit, or certify it. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 7.5

The three options for findings that are justified in the scenario are:

•Nonconformity (NC) - The information for the acceptance of residual information security risks should be updated after the risk treatment is implemented. Clause 6.1.3.f

•Nonconformity (NC) - The IT security manager should be aware of and understand his authority and area of responsibility. Clause 7.3

•Nonconformity (NC) - The risk treatment plan No. 123 should be approved by the risk owner, the Facility Manager in this case. Clause 6.1.3.f

According to ISO/IEC 27001:2022, clause 6.1.3.f, the organisation must retain documented information that includes the information for the acceptance of residual information security risks, and the approval of the risk treatment plan by the risk owner1. Therefore, option A and G are justified as nonconformities, because the organisation failed to update the information for the acceptance of residual risks, and the risk treatment plan was approved by the IT security manager, who is not the risk owner.

According to ISO/IEC 27001:2022, clause 7.3, the organisation must ensure that the persons assigned to perform the roles and responsibilities for the ISMS are competent, and are aware of the consequences of not conforming to the ISMS requirements2. Therefore, option E is justified as a nonconformity, because the IT security manager, who is responsible for the information security risk management process, was not aware of his authority and area of responsibility.

The other options are not justified as findings, because they are either irrelevant or incorrect. For example:

•Option B is irrelevant, because it is not related to the information security risk treatment plan No. 123, which is the focus of the audit.

•Option C is incorrect, because it is not an opportunity for improvement, but rather a benefit of the risk treatment plan No. 123, which is already implemented.

•Option D is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option F is incorrect, because it is not a nonconformity, but rather a requirement for the organisation to provide the resources needed for the continual improvement of the ISMS, which is not the same as the resources needed for the risk treatment plan No. 123.

•Option H is irrelevant, because it is not a finding, but rather a good practice, which is not the objective of the audit.

References: 1: ISO/IEC 27001:2022, 6.1.3.f; 2: ISO/IEC 27001:2022, 7.3; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

This scenario represents an "audit finding." An audit finding refers to results that indicate a deviation from the expected performance or standards. Discovering that two employees have not received the required training is an audit finding indicating noncompliance with the organization's training requirements.

References: ISO 19011:2018, Guidelines for auditing management systems

Audit evidence should be evaluated against the audit criteria in order to determine audit findings.

• Audit evidence is the information obtained by the auditors during the audit process that is used as a basis for forming an audit opinion or conclusion12. Audit evidence could include records, documents, statements, observations, interviews, or test results12.
• Audit criteria are the set of policies, procedures, standards, regulations, or requirements that are used as a reference against which audit evidence is compared12. Audit criteria could be derived from internal or external sources, such as ISO standards, industry best practices, or legal obligations12.
• Audit findings are the results of a process that evaluates audit evidence and compares it against audit criteria13. Audit findings can show that audit criteria are being met (conformity) or that they are not being met (nonconformity). They can also identify best practices or improvement opportunities13.

References :=

• ISO 19011:2022 Guidelines for auditing management systems
• ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements
• Components of Audit Findings - The Institute of Internal Auditors

The Plan-Do-Check-Act (PDCA) cycle is a four-step method for implementing and improving processes, products, or services. The “plan” phase involves establishing the objectives and processes necessary to deliver the desired results. This may include setting SMART goals, identifying resources, defining roles and responsibilities, conducting risk assessments, and developing plans for training, communication, and monitoring.

References:

• ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
• ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]

• Review is the third stage of the Plan-Do-Check-Act (PDCA) cycle, which is a four-step model for implementing and improving an information security management system (ISMS) according to ISO/IEC 27001:202212. Review involves assessing and measuring the performance of the ISMS against the established policies, objectives, and criteria12.
• Assess is the verb that describes the action of reviewing the ISMS. Assess means to evaluate, analyze, or measure something in a systematic and objective manner3. Assessing the ISMS involves collecting and verifying audit evidence, identifying strengths and weaknesses, and determining the degree of conformity or nonconformity12.
• Regular is the adjective that describes the frequency or interval of reviewing the ISMS. Regular means occurring or done at fixed or uniform intervals4. Reviewing the ISMS at regular intervals means conducting internal audits and management reviews periodically, such as annually, quarterly, or monthly, depending on the needs and risks of the organization12.
• Suitability is one of the attributes that describes the quality or outcome of reviewing the ISMS. Suitability means being appropriate or fitting for a particular purpose, person, or situation5. Reviewing the ISMS for suitability means ensuring that it is aligned with the organization’s strategic direction, business objectives, and information security requirements12.

References :=

• ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements
• ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance
• Assess | Definition of Assess by Merriam-Webster
• Regular | Definition of Regular by Merriam-Webster
• Suitability | Definition of Suitability by Merriam-Webster

• Establishing the audit programme objectives, scope and criteria
• Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.
• Selecting and appointing the audit team leaders and auditors
• Reviewing and approving the audit plans and arrangements
• Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.
• Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities
• Monitoring and reviewing the performance and results of the audit programme and the audit teams
• Evaluating the feedback and satisfaction of the auditees and other interested parties
• Identifying and implementing the opportunities for improvement of the audit programme

The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:

• Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.
• Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.
• Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee
• Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.

References:

• ISO 19011:2018 - Guidelines for auditing management systems
• PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20

The Statement of Applicability (SoA) is a core document within an ISMS that outlines the security controls an organization implements. When a new control, such as the SSH protocol, is implemented, it should be included in the SoA to reflect the current state of the ISMS. The SoA should be updated to justify the inclusion of the new control and to document how it is implemented within the organization12. References: = This guidance is based on the best practices for maintaining the SoA as per ISO/IEC 27001, which requires the SoA to be a living document that accurately reflects the security controls in use by the organization

Materiality in the context of an audit involves assessing what level of nonconformities or failures, including those related to legal and contractual compliance, would be significant enough to affect the audit conclusions. Costs related to these issues are considered when determining materiality.

References: ISO 19011:2018, Guidelines for auditing management systems

By drafting a procedure for information labeling, EsBank has submitted an action plan to resolve the nonconformity. This step addresses the immediate issue identified during the audit by establishing a consistent approach to labeling information according to its classification.

The audit objectives are the purpose and scope of an audit, as defined by the audit client and the auditor. According to the ISO/IEC 27001 standard, the audit objectives for an ISMS audit may include determining the extent of conformity of the ISMS with the audit criteria, evaluating the ability of the ISMS to ensure the organization meets its information security objectives, and identifying potential areas for improvement of the ISMS12. References: = 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing, clause 4.2.1.

Based on the provided scenario, the auditors’ request for documentary evidence regarding the monitoring process of outsourced operations indicates that the auditors demonstrated professional skepticism. This is because professional skepticism involves a critical assessment of audit evidence and includes a questioning mind and a careful evaluation of the information provided by the auditee123.

Professional skepticism is an essential part of the auditing process, especially in the context of ISO/IEC 27001, which requires auditors to systematically examine an organization’s information security risks, including the management of outsourced processes4. The auditors’ request for evidence suggests that they were not satisfied with verbal assurances alone and sought to verify that SendPay had a formal, documented process for monitoring outsourced activities, which is a requirement for maintaining an effective Information Security Management System (ISMS)5.

Therefore, the correct answer is: A. The auditors demonstrated professional skepticism.

The conclusion in the audit report that is not required by the certification body when deciding to grant certification is that the organisation fully complies with all legal and other requirements applicable to the ISMS. This is because the certification body does not have the authority or the responsibility to verify the legal compliance of the organisation, as this is outside the scope of ISO/IEC 27001:2022. The certification body only evaluates the conformity of the organisation’s ISMS with the requirements of the standard, which include the establishment of a process to identify and evaluate the legal and other requirements that are relevant to the ISMS. The organisation is responsible for ensuring its own legal compliance and for providing evidence of such compliance to the certification body if requested. References: = ISO/IEC 27001:2022, clause 6.1.3; ISO/IEC 27006:2022, clause 9.2.2.4; PECB Candidate Handbook ISO 27001 Lead Auditor, page 29.

One possible way to complete the sentence is:

“When reviewing the effectiveness of action taken in response to a nonconformity, an auditor seeks evidence of change that will prevent recurrence of the issue.”

According to ISO/IEC 27001:2022, clause 10.1, the organization shall continually improve the suitability, adequacy, and effectiveness of the ISMS by evaluating the performance and the effectiveness of the ISMS, ensuring that the policy and objectives are aligned with the strategic direction of the organization, and taking actions to achieve the intended outcomes of the ISMS. One of the ways to achieve continual improvement is to identify and correct nonconformities and take actions to eliminate their causes and prevent their recurrence. Therefore, when reviewing the effectiveness of the corrective actions, an auditor should look for evidence that the organization has analyzed the root cause of the nonconformity, implemented appropriate changes to the ISMS, and verified that the changes have resulted in the desired improvement and prevented the recurrence of the issue. References: =

• ISO/IEC 27001:2022, clause 10.1, Nonconformity and corrective action
• ISO/IEC 27001:2022, clause 10.2, Continual improvement
• PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process
• PECB Candidate Handbook ISO 27001 Lead Auditor, page 21, Audit Findings

Qualitative evidence in an audit typically involves observations, interviews, and reviews that provide insights into the processes and compliance through subjective but informed assessments. An interview with information security personnel to validate compliance with the standard requirements is an example of qualitative evidence, where the quality and effectiveness of processes are assessed based on expert judgments rather than measurable metrics.

References: PECB ISO/IEC 27001 Lead Auditor Course Material

The major nonconformity related to storing sensitive information in removable media justifies the unfavorable recommendation for certification. This issue directly contradicts the information classification scheme's stipulations, indicating a significant oversight in enforcing the ISMS policies.

It is acceptable and often necessary for auditors to test technical controls such as firewalls to validate the operation and effectiveness of these processes during an ISMS audit. This hands-on testing provides concrete, technical evidence of the security measures' performance.

References: ISO/IEC 27001:2013 Standard, Clause A.13 (Communications security), ISO 19011:2018, Guidelines for auditing management systems

A property of information that has the ability to prove occurrence of a claimed event is integrity. Integrity is one of the three main objectives of information security, along with confidentiality and availability. Integrity ensures that information and systems are not corrupted, modified, or deleted by unauthorized actions or events. Integrity also implies that information and systems can be verified and validated as authentic and accurate. Electronic chain letters are not a property of information, but a type of spam or hoax message that may contain malicious or misleading content. Availability means that service should be accessible at the required time and usable only by the authorized entity. Accessibility is not a property of information, but a characteristic of usability that refers to how easy it is for users to access and interact with information and systems. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 24. : [ISO/IEC 27001 Brochures | PECB], page 4. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 13.

Audit methods are the techniques and procedures that auditors use to collect and evaluate audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not. Human interaction methods are those that require direct or indirect communication with the auditee or other relevant parties, such as interviews, questionnaires, surveys, observations, or walkthroughs. Non-human interaction methods are those that do not require any communication with the auditee or other parties, such as document reviews, data analysis, or remote surveillance.

Some examples of audit methods that do not involve human interaction are:

• Performing a review of auditee’s procedures in preparation for an audit: This method involves examining the auditee’s documented information, such as policies, processes, records, or reports, to verify their adequacy and effectiveness in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.
• Analysing data by remotely accessing the auditee’s server: This method involves accessing and processing the auditee’s data, such as performance indicators, logs, metrics, or statistics, to verify their accuracy and reliability in meeting the audit criteria. The auditor does not need to interact with the auditee or anyone else to perform this method.

References:

• ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
• ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]

By using illegal versions of software, NightCore ignored the control about intellectual property rights under Annex A.8.1.1 of ISO/IEC 27001, which requires the protection of organizational records to include intellectual property and personal information held in the form of data or software.

References: ISO/IEC 27001:2013 Standard, Annex A.8.1.1 (Responsibility for assets)

Yes, the audit team must evaluate the action plan and verify if it is appropriate for correcting the detected nonconformities. This is part of the auditor's responsibilities to ensure that the proposed actions adequately address the issues identified during the audit.

The following four statements are true according to ISO/IEC 27001’s risk management requirements: 12

• The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:2022 requires the organisation to retain documented information of the information security risk assessment process and the results12
• ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause 6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12
• The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12
• Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12

The following four statements are false according to ISO/IEC 27001’s risk management requirements:

• Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12
• The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks: avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12
• The initial phase in an organisation’s risk management process should be information security risk assessment. This is false because the initial phase in an organisation’s risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12
• Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12

References:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

The use of clear text passwords for authentication in FTP is a vulnerability because it is a weakness that can be exploited by threat actors. Clear text passwords can be intercepted easily by network sniffers or through man-in-the-middle attacks, making them a significant security risk1. References: = This explanation is consistent with the understanding of vulnerabilities within the field of information security, particularly as it relates to network protocols like FTP and their associated risks

This option is appropriate for inclusion in the closing meeting agenda, as it is a requirement of the ISO 19011 standard, which provides guidelines for auditing management systems, including ISMS12. The standard states that the audit team leader should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions, such as limitations in the audit scope, access, or sampling3. The standard also states that the audit report should include a statement that the audit is based on a sample of the information available at the time of the audit, and that the audit does not provide absolute assurance of the conformity or effectiveness of the audited management system4. Therefore, the audit team leader should include a disclaimer in the closing meeting agenda to inform the auditee of the nature and limitations of the audit, and to avoid any misunderstandings or false expectations. The other options are not appropriate for inclusion in the closing meeting agenda, as they are either irrelevant, incorrect, or incomplete. For example:

•A detailed explanation of the certification body’s complaints process is not relevant for the closing meeting agenda, as it is not related to the audit findings or conclusions. The certification body’s complaints process should be communicated to the auditee before the audit, as part of the audit agreement or contract5.

•An explanation of the audit plan and its purpose is not correct for the closing meeting agenda, as it should have been done at the opening meeting or before the audit. The audit plan is a document that describes the scope, objectives, criteria, and methodology of the audit, as well as the audit schedule, the audit team, the audit locations, and the audit deliverables . The audit plan should be communicated and agreed with the auditee in advance, and any changes or deviations should be notified during the audit.

•Names of auditees associated with nonconformities are not complete for the closing meeting agenda, as they do not provide the details or the evidence of the nonconformities. The audit team leader should present the audit findings, which include the description, the audit criteria, and the audit evidence of each nonconformity, as well as the audit conclusions and the audit recommendation . The audit team leader should also avoid naming or blaming individuals, and focus on the processes and the system.

References: = 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 222: ISO 19011:2018 Guidelines for auditing management systems, clause 13: ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.94: ISO 19011:2018 Guidelines for auditing management systems, clause 7.5.25: ISO/IEC 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements, clause 9.8. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.1. : ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing, clause 6.2.1. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.2. : ISO 19011:2018 Guidelines for auditing management systems, clause 6.4.10. : ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing, clause 6.3.3.

One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation’s customers, partners, regulators and other interested parties in the organisation’s information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.

The responsibilities described fit those of a "guide." A guide in an audit context is typically someone from the auditee's organization who facilitates audit activities, manages logistics, ensures compliance with health and safety policies, and may also witness the audit process, assisting the audit team.

References: ISO 19011:2018, Guidelines for auditing management systems

The best practice in acceptable use of information assets is A: access to information and communication systems are provided for business purpose only. This means that the organization grants access to its information and communication systems only to authorized users who need to use them for legitimate and approved business activities. The organization does not allow or tolerate any unauthorized, inappropriate or personal use of its information and communication systems, as this could compromise information security, violate policies or laws, or cause damage or harm to the organization or its stakeholders. The other options are not best practices in acceptable use of information assets, as they could violate information security policies and procedures, as well as ethical or legal standards. Interfering with or denying service to any user other than the employee’s host (B) is a malicious act that could disrupt the availability or performance of the information systems or services of another user or organization. Playing any computer games during office hours © is a personal and unprofessional use of the information and communication systems that could distract the employee from their work duties, waste resources and bandwidth, or expose the systems to malware or other risks. Accessing phone or network transmissions, including wireless or wifi transmissions (D) is a potential breach of confidentiality or privacy that could intercept, monitor or modify the information transmitted by another user or organization without their consent or authorization. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). References: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, What is Acceptable Use?

• A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. Externally provided processes, products or services are those that are provided by any external party, regardless of the degree of its relationship with the organisation. Therefore, the other data centres within the same telecommunication group should be treated as external providers and subject to the same controls as any other external provider12
• B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to implement appropriate contractual requirements related to information security with external providers. One of the contractual requirements could be the obligation of the external provider to notify the organisation of any risks arising from the use of its products or services, such as security incidents, vulnerabilities, or changes that could affect the information security of the organisation. The external provider should have a documented process in place to ensure that such notification is timely, accurate, and complete12
• E. I will ensure the organisation is regularly monitoring, reviewing and evaluating external provider performance. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to monitor, review and evaluate the performance and effectiveness of the externally provided processes, products or services. The organisation should have a process in place to measure and verify the conformity and suitability of the external provider’s deliverables and activities, and to provide feedback and improvement actions as necessary. The organisation should also maintain records of the monitoring, review and evaluation results12
• F. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This is appropriate because clause 7.4.2 of ISO 27001:2022 requires the organisation to determine the need for internal and external communications relevant to the information security management system, including the communication with external providers. The organisation should define the purpose, content, frequency, methods, and responsibilities for such communication, and ensure that it is consistent with the information security policy and objectives. The organisation should also retain documented information of the communication as evidence of its implementation12

The following activities are not appropriate for the assessment of external providers according to ISO 27001:2022:

• C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information. This is not appropriate because ISO 27001:2022 does not require the organisation to have a reserve external provider for each critical process. The organisation may choose to have a contingency plan or a backup solution in case of failure or disruption of the external provider, but this is not a mandatory requirement. The organisation should assess the risks and opportunities associated with the external provider and determine the appropriate treatment options, which may or may not include having a reserve external provider12
• D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services. This is not appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to control the externally provided processes, products or services that are relevant to the information security management system. Externally provided products or services may include software, hardware, data, or cloud services that could affect the information security of the organisation. Therefore, the audit activity should cover both externally provided processes and products or services, as applicable12
• G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. This is not appropriate because clause 5.3 of ISO 27001:2022 requires the top management to assign the roles and responsibilities for the information security management system within the organisation, not for the external providers. The external providers are responsible for assigning their own roles and responsibilities for the processes, products or services they provide to the organisation. The organisation should ensure that the external providers have adequate competence and awareness for their roles and responsibilities, and that they are contractually bound to comply with the information security requirements of the organisation12
• H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest. This is not appropriate because ISO 27001:2022 does not require the organisation to rank its external providers or to allocate its work based on such ranking. The organisation may choose to evaluate and compare the performance and effectiveness of its external providers, but this is not a mandatory requirement. The organisation should select and use its external providers based on the information security criteria and objectives that are relevant to the organisation12

References:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the audit reports should be produced by the audit team leader with input from the audit team, as they are responsible for collecting and analysing the audit evidence1. The audit reports should also include or refer to the audit plan, as it provides the basis for the audit objectives, scope, criteria, and methodology2. Furthermore, the audit reports should be produced within an agreed timescale, as it is part of the audit programme management and ensures timely communication of the audit results3. Additionally, the audit reports should always be reviewed by the client, dated, and signed as ‘accepted’, as it confirms the audit completion and the formal agreement on the audit findings and conclusions4.

The other statements are false because:

• Audit reports should not be sent to the organisation’s top management first because their contents could be embarrassing, as this would compromise the audit impartiality and confidentiality5. Audit reports should be distributed according to the audit programme procedures and the audit plan.
• Audit reports should not be assumed suitable for general circulation unless they are specifically marked confidential, as this would violate the audit confidentiality and the protection of personal information. Audit reports should be treated as confidential documents and only shared with the authorised parties.
• Audit reports should not only evidence nonconformity, as this would limit the audit scope and value. Audit reports should also evidence conformity, improvement opportunities, good practices, and audit observations.
• Audit reports that are no longer required should not be destroyed as part of the organisation’s general waste, as this would pose a risk to the audit confidentiality and the information security. Audit reports should be retained, disposed, or destroyed according to the audit programme procedures and the applicable legal requirements.

References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 32, section 4.4.32: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.43: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 31, section 4.4.14: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34, section 4.4.55: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 32, section 4.4.3. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 33, section 4.4.4. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 24, section 4.3.1. : PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 34, section 4.4.5.

The PDCA cycle is a four-step method for managing and improving processes. The steps are Plan, Do, Check, and Act. In the Plan phase, the objectives and scope of the process are defined, and the resources and activities are planned. In the Do phase, the process is implemented on a test basis, and the results are recorded and analyzed1. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA

The two statements that are valid audit conclusions are:

•The ISMS policy has been effectively communicated to the organisation

•The organisation’s ISMS objectives meet the requirements of ISO/IEC 27001:2022

According to ISO 19011:2018, an audit conclusion is the outcome of an audit, provided by the audit team after considering the audit objectives and all audit findings1. An audit conclusion can be positive or negative, depending on whether the audit criteria are fulfilled or not. An audit conclusion can also include recommendations for improvement or recognition of good practices.

The statements D and E are valid audit conclusions, because they express the outcome of the audit based on the audit criteria and findings. For example:

•Statement D is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 5.2.2 of ISO/IEC 27001:2022, which states that the ISMS policy must be communicated within the organisation and to relevant interested parties2. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of communication, awareness activities, feedback, etc.

•Statement E is a positive audit conclusion, because it indicates that the organisation has fulfilled the requirement of clause 6.2 of ISO/IEC 27001:2022, which states that the organisation must establish ISMS objectives that are consistent with the ISMS policy and relevant to the information security risks3. The audit team must have obtained sufficient and appropriate audit evidence to support this conclusion, such as records of objective setting, risk assessment, alignment with policy, etc.

The other statements are not valid audit conclusions, because they do not express the outcome of the audit based on the audit criteria and findings. They are rather examples of audit findings, which are the results of the evaluation of the collected audit evidence against the audit criteria4. Audit findings can indicate either conformity or nonconformity with the audit criteria, or opportunities for improvement. For example:

•Statement A is a negative audit finding, because it indicates a nonconformity with the requirement of clause 7.2.2 of ISO/IEC 27001:2022, which states that the organisation must provide information security awareness education and training to persons under its control5. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement B is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.2 of ISO/IEC 27001:2022, which states that the organisation must maintain and review the information security risk assessment at planned intervals or when significant changes occur6. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement C is a negative audit finding, because it indicates a nonconformity with the requirement of clause 10.1 of ISO/IEC 27001:2022, which states that the organisation must take action to eliminate the causes of nonconformities and prevent recurrence7. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

•Statement F is a negative audit finding, because it indicates a nonconformity with the requirement of clause 6.1.3 of ISO/IEC 27001:2022, which states that the organisation must determine the controls that are necessary to implement the risk treatment plan, and document them in the statement of applicability8. The audit team must have identified and documented this nonconformity, and reported it to the auditee.

References: 1: ISO 19011:2018, 3.15; 2: ISO/IEC 27001:2022, 5.2.2; 3: ISO/IEC 27001:2022, 6.2; 4: ISO 19011:2018, 3.14; 5: ISO/IEC 27001:2022, 7.2.2; 6: ISO/IEC 27001:2022, 6.1.2; 7: ISO/IEC 27001:2022, 10.1; 8: ISO/IEC 27001:2022, 6.1.3; : ISO 19011:2018; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO 19011:2018; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022; : ISO/IEC 27001:2022

The four options for the actions you could take are A, C, F, and G. These options are consistent with the guidance and requirements of ISO 19011:2018, Clause 6.712. You could agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified (A), and document the agreement in the audit report1. You could close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised ©, and report the outcome to the audit client and other relevant parties1. You could note the progress made but hold the audit open until all corrective action has been cleared (F), and determine the need for another follow-up audit or other actions1. You could also advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity (G), as they are responsible for the overall management and coordination of the audit programme3. The other options are either not appropriate or not necessary for the situation. You should not recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit (B), as this may compromise the audit objectives and the audit programme1. You should not recommend suspension of the organisation’s certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale (D), as this is not within your role or authority as an ISMS auditor4. You should not advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity (E), as this may not be feasible or effective depending on the nature and complexity of the nonconformity1. You should not conduct an unannounced follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared (H), as this may not be in accordance with the audit agreement or the audit programme1. References: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit \n3: ISO 19011:2018, Guidelines for auditing management systems, Clause 5.3 \n4: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 9.6

According to ISO 27001:2022 clause 4.1, the organisation shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system (ISMS)12

External issues are factors outside the organisation that it cannot control, but can influence or adapt to. They include political, economic, social, technological, legal, and environmental factors that may affect the organisation’s information security objectives, risks, and opportunities12

Internal issues are factors within the organisation that it can control or change. They include the organisation’s structure, culture, values, policies, objectives, strategies, capabilities, resources, processes, activities, relationships, and performance that may affect the organisation’s information security management system12

Therefore, the following issues are considered ‘internal’ in the context of a management system to ISO 27001:2022:

• Poor levels of staff competence as a result of cuts in training expenditure: This is an internal issue because it relates to the organisation’s capability, resource, and process of developing and maintaining the competence of its personnel involved in the ISMS. The organisation can control or change its training expenditure and its impact on staff competence12
• Poor morale as a result of staff holidays being reduced: This is an internal issue because it relates to the organisation’s culture, value, and relationship with its employees. The organisation can control or change its staff holiday policy and its impact on staff morale12
• Increased absenteeism as a result of poor management: This is an internal issue because it relates to the organisation’s performance, structure, and accountability of its management. The organisation can control or change its management practices and its impact on staff absenteeism12
• A fall in productivity linked to outdated production equipment: This is an internal issue because it relates to the organisation’s capability, resource, and process of ensuring the availability and suitability of its production equipment. The organisation can control or change its equipment maintenance and upgrade and its impact on productivity12

The following issues are considered ‘external’ in the context of a management system to ISO 27001:2022:

• Higher labour costs as a result of an aging population: This is an external issue because it relates to the social and demographic factor that affects the availability and cost of labour in the market. The organisation cannot control or change the aging population, but can influence or adapt to its impact on labour costs12
• A rise in interest rates in response to high inflation: This is an external issue because it relates to the economic and monetary factor that affects the cost and availability of capital in the market. The organisation cannot control or change the interest rates or inflation, but can influence or adapt to its impact on capital costs12
• A reduction in grants as a result of a change in government policy: This is an external issue because it relates to the political and legal factor that affects the availability and conditions of public funding for the organisation. The organisation cannot control or change the government policy, but can influence or adapt to its impact on grants12
• Inability to source raw materials due to government sanctions: This is an external issue because it relates to the political and legal factor that affects the availability and cost of raw materials in the market. The organisation cannot control or change the government sanctions, but can influence or adapt to its impact on raw materials12

References:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Integrity is one of the basic components of information security, along with confidentiality and availability. Integrity means that information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness. Integrity ensures that information is reliable and trustworthy3. References: ISO/IEC 27001:2022 Lead Auditor Training Course - BSI

• B. 8.12 Data leakage protection. This is true because the auditee should have implemented measures to prevent unauthorized disclosure of sensitive information, such as personal data, medical records, or official documents, that are contained in the parcels. Data leakage protection could include encryption, authentication, access control, logging, and monitoring of data transfers12.
• D. 6.3 Information security awareness, education, and training. This is true because the auditee should have ensured that all employees and contractors involved in the shipping process are aware of the information security policies and procedures, and have received appropriate training on how to handle and protect the information assets in their custody. Information security awareness, education, and training could include induction programmes, periodic refreshers, awareness campaigns, e-learning modules, and feedback mechanisms13.
• E. 7.10 Storage media. This is true because the auditee should have implemented controls to protect the storage media that contain information assets from unauthorized access, misuse, theft, loss, or damage. Storage media could include paper documents, optical disks, magnetic tapes, flash drives, or hard disks14. Storage media controls could include physical locks, encryption, backup, disposal, or destruction14.
• F. 8.3 Information access restriction. This is true because the auditee should have implemented controls to restrict access to information assets based on the principle of least privilege and the need-to-know basis. Information access restriction could include identification, authentication, authorization, accountability, and auditability of users and systems that access information assets15.
• I. 7.4 Physical security monitoring. This is true because the auditee should have implemented controls to monitor the physical security of the premises where information assets are stored or processed. Physical security monitoring could include CCTV cameras, alarms, sensors, guards, or patrols16. Physical security monitoring could help detect and deter unauthorized physical access or intrusion attempts16.
• J. 5.13 Labelling of information. This is true because the auditee should have implemented controls to label information assets according to their classification level and handling instructions. Labelling of information could include markings, tags, stamps, stickers, or barcodes1 . Labelling of information could help identify and protect information assets from unauthorized disclosure or misuse1 .

References :=

• ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls
• ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements
• ISO/IEC 27003:2022 Information technology — Security techniques — Information security management systems — Guidance
• ISO/IEC 27004:2022 Information technology — Security techniques — Information security management systems — Monitoring measurement analysis and evaluation
• ISO/IEC 27005:2022 Information technology — Security techniques — Information security risk management
• ISO/IEC 27006:2022 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
• [ISO/IEC 27007:2022 Information technology — Security techniques — Guidelines for information security management systems auditing]

The two phrases that would apply to ‘check’ in the Plan-Do-Check-Act cycle for a business process are:

• C. Verifying training
• F. Auditing processes

• C. This phrase applies to ‘check’ in the PDCA cycle because it involves measuring and evaluating the effectiveness of the training activities that were implemented in the ‘do’ phase. Training is an important aspect of information security awareness, education, and competence, which are required by clause 7.2 of ISO 27001:20221. Verifying training can help the organisation to assess whether the staff have acquired the necessary knowledge, skills, and behaviour to perform their roles and responsibilities in relation to information security. Verifying training can also help the organisation to identify any gaps or weaknesses in the training program and to plan for improvement actions.
• F. This phrase applies to ‘check’ in the PDCA cycle because it involves examining and reviewing the performance and conformity of the processes that were implemented in the ‘do’ phase. Auditing is a systematic, independent, and documented process for obtaining objective evidence and evaluating it to determine the extent to which the audit criteria are fulfilled2. Auditing processes can help the organisation to verify whether the information security objectives and requirements are met, whether the information security controls are effective and efficient, and whether the information security risks are adequately managed. Auditing processes can also help the organisation to identify any nonconformities or opportunities for improvement and to plan for corrective or preventive actions.

References:

1: ISO/IEC 27001:2022 - Information technology — Security techniques — Information security management systems — Requirements, clause 7.2 2: ISO 19011:2018 - Guidelines for auditing management systems, clause 3.2

The two standards that are used as ISMS third-party certification audit criteria are ISO/IEC 27001 and relevant legal, statutory, and regulatory requirements. ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)1. Relevant legal, statutory, and regulatory requirements are those that apply to the organization’s information security aspects and objectives2. The other options are either not standards (E) or not directly related to the ISMS certification audit criteria (A, B, C, F). References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 1 \n2: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2

According to ISO 19011:2018, which provides guidelines for auditing management systems, an audit programme is a set of one or more audits planned for a specific time frame and directed towards a specific purpose1. The individual(s) managing the audit programme are responsible for establishing, implementing and maintaining the audit programme in accordance with the organization’s policies and objectives1. This includes defining the extent of the audit programme based on strategic direction, risks and opportunities; establishing the audit programme by defining its objectives, scope and criteria; determining the resources necessary for the audit programme; selecting competent auditors and assigning them to appropriate audits; defining the objectives, scope and criteria for each individual audit; defining the plan of each individual audit; retaining documented information of the audit results; reviewing and improving the performance of the audit programme1. Therefore, these six actions are part of the responsibilities of the individual(s) managing the audit programme. The other option, communicating with the auditee during the audit, is not a responsibility of the individual(s) managing the audit programme, but rather a responsibility of the audit team leader1. References: ISO 19011:2018 - Guidelines for auditing management systems

The four statements that are true are:

•Major nonconformities may be subject to on-site follow up

•The action taken to address major nonconformities is typically more substantial than the action taken to address minor nonconformities

•Several minor nonconformities can be grouped into a major nonconformity

•Nonconformities may be graded to indicate their significance

According to ISO 19011:2018, a nonconformity is the non-fulfilment of a requirement1. Nonconformities may be graded to indicate their significance, based on the criteria established by the audit programme or the audit client2. The grading of nonconformities may use different terms or levels, such as major, minor, critical, etc., depending on the nature and context of the audit3. However, some common definitions of major and minor nonconformities are:

•A major nonconformity is a nonconformity that affects the ability of the management system to achieve its intended results, or that represents a significant breakdown of the management system4. Major nonconformities may require immediate corrective action and on-site follow up by the auditor to verify their closure5.

•A minor nonconformity is a nonconformity that does not affect the ability of the management system to achieve its intended results, or that represents an isolated lapse of the management system4. Minor nonconformities may require corrective action within a specified time frame and off-site verification by the auditor to confirm their closure5.

The action taken to address nonconformities depends on the severity and impact of the nonconformity, and the risk of recurrence or escalation. Typically, the action taken to address major nonconformities is more substantial than the action taken to address minor nonconformities, as it may involve identifying and eliminating the root cause of the problem, implementing preventive measures, and monitoring the effectiveness of the solution.

Several minor nonconformities can be grouped into a major nonconformity if they are related to the same requirement, process, or area, and if they indicate a systemic failure or a significant risk to the management system. The auditor should use professional judgment and evidence-based approach to decide whether to group or report nonconformities individually.

The other statements are false, based on the guidance of ISO 19011:2018. For example:

•Option B is false, because nonconformities can be graded using different terms or levels, depending on the criteria established by the audit programme or the audit client2. The terms ‘major’ and ‘minor’ are not mandatory or universal, but rather examples of possible grading levels3.

•Option D is false, because very minor nonconformities should not be re-graded as opportunities for improvement, but rather reported as nonconformities, as they still represent a non-fulfilment of a requirement1. An opportunity for improvement is a suggestion for enhancing the performance or effectiveness of the management system, but it is not a nonconformity or a requirement.

•Option F is false, because the grading of nonconformities does not have to be explained to the auditee at the opening meeting, but rather at the closing meeting, where the audit findings and conclusions are presented and discussed. The opening meeting is intended to provide an overview of the audit objectives, scope, criteria, and methods, and to confirm the audit arrangements and logistics.

•Option G is false, because the auditee is not always responsible for determining the criteria for grading nonconformities, but rather the audit programme or the audit client, in consultation with the auditee and other relevant parties2. The auditee is responsible for taking corrective action to address the nonconformities, and for providing evidence of their completion and effectiveness.

References: 1: ISO 19011:2018, 3.13; 2: ISO 19011:2018, 6.6.2; 3: ISO 19011:2018, 6.6.3; 4: ISO Audit Findings :Non-conformance - AUVA Certification1; 5: Annex III: Nonconformity grading - FSSC2; : ISO 27001 Certification – Major vs. Minor Nonconformities - Advisera3; : GUIDANCE FOR ADDRESSING AND CLEARING NONCONFORMITIES - SADCAS4; : ISO 19011:2018, 6.2; : ISO 19011:2018, 3.14; : ISO 19011:2018, 6.7; : ISO 19011:2018, 6.4; : ISO 19011:2018, 6.7.2; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : ISO 19011:2018; : [ISO 19011:2018]; : [ISO 19011:2018]; : [ISO 19011:2018]; : [ISO 19011:2018]; : [ISO 19011:2018]; : [ISO 19011:2018]; : [ISO 19011:2018]

The purpose of retaining documented information related to the ISMS of an organisation is to the extent necessary, to have confidence that the processes have been carried out as planned. This means that the documented information provides evidence of the conformity and effectiveness of the ISMS, as well as the achievement of the information security objectives and the continual improvement of the ISMS. Documented information also supports the analysis and evaluation of the ISMS performance and the identification of opportunities for improvement. References: = ISO/IEC 27001:2022, clause 7.5.1; PECB Candidate Handbook ISO 27001 Lead Auditor, page 17.

According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B’s other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B. Sharing the findings with B’s Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A’s supplier evaluation team or B’s certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.

Internal audits and external audits are integral components of the certification cycle, ensuring regular monitoring of the management system. Internal audits help organizations prepare for external audits by identifying and addressing potential nonconformities, while external audits validate the compliance of the management system with ISO/IEC 27001 standards.

References: PECB ISO/IEC 27001 Lead Auditor Course Material; ISO/IEC 27001:2013, Clauses 9.2 (Internal audit) and 9.3 (Management review)

Yes, according to ISO/IEC 27001, the company needs to provide evidence of the implementation of procedures regarding the logging of user activities. This requirement is essential to ensure that events are recorded and regularly reviewed, supporting the detection and prevention of security incidents.

References: ISO/IEC 27001:2013, Clause A.12.4 (Logging and monitoring)

The main purpose of a Stage 1 audit is to evaluate the adequacy and effectiveness of the organisation’s ISMS documentation, and to assess whether the organisation is prepared for the Stage 2 audit, where the implementation and operation of the ISMS will be verified. The Stage 1 audit also involves verifying the scope, objectives, and context of the ISMS, as well as identifying any areas of concern or nonconformities that need to be addressed before the Stage 2 audit.

References:

• ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
• ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems Section 7.3.1

A screenshot of a computer Description automatically generated

• Identifying the source of information (already given)
• Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
• Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
• Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
• Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
• Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
• Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.

Therefore, the correct sequence is:

1. Identifying the source of information 2. Gathering audit evidence 3. Sampling the available data 4. Verifying objective evidence 5. Evaluating evidence against the audit criteria 6. Recording audit findings 7. Making audit conclusions

8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected = Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises = People control

Explanation: According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:

• Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.
• People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.
• Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.
• Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.

Based on these categories, the controls listed in the question can be matched as follows:

• 8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.
• 7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.
• 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation’s needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.
• 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation’s premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.

References: = 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What’s New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements, Annex A.

Corrective action is a process of identifying and eliminating the root causes of nonconformities or incidents that have occurred or could potentially occur, in order to prevent their recurrence or occurrence. Corrective action is part of the improvement requirement of ISO 27001 and follows a standard workflow of identification, evaluation, implementation, review and documentation of corrections and corrective actions. References: Procedure for Corrective Action, Nonconformity & Corrective Action For ISO 27001 Requirement 10.1, PECB Candidate Handbook ISO 27001 Lead Auditor (page 12)

The correct options for how the auditor should respond are:

• A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
• D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit

These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures1. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification1.

The other options are not appropriate for how the auditor should respond, because:

• B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client’s situation. The auditor should be open to consider any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified and evaluated by the certification body.
• C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body. The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification.
• E. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather that they need to verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body.
• F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body. The auditor should not confirm that they will revise the audit scope to include the new work area, but rather that they will advise the certification body of the client’s request for an extension of the scope of certification, and wait for their decision.

A legal technical expert (LTE) is a person who provides specific knowledge or expertise related to the legal aspects of the information security management system (ISMS) during a certification audit. The LTE is not an auditor, but a member of the audit team who supports the auditors in collecting and evaluating the audit evidence. The LTE is not responsible for evaluating the auditee’s legal knowledge, criticising the organisation’s legal compliance issues, or debating complex legal points with the auditee, as these tasks may be beyond the scope of the audit, or may compromise the objectivity and impartiality of the audit. The LTE is responsible for advising on legal checkpoints for the audit team, such as the applicable legal, regulatory, and contractual requirements, the relevant sources of information, the methods of verification, and the criteria of evaluation. The LTE is also responsible for verifying the legal status of the organisation, such as the registration, licensing, authorisation, or accreditation of the organisation, and the compliance with the relevant laws and regulations. References:

• What is the role of a technical expert in ISO audit?
• Roles, Responsibilities & Authorities for ISO 27001 5.3
• Guide to Become an ISO 27001 Lead Auditor

A document review is a process of examining the documented information related to the management system before the on-site audit activities. The purpose of a document review is to: 12

• Determine the conformity of the management system, as far as documented, with audit criteria, i.e., to check whether the documents are consistent, complete, and compliant with the requirements of ISO/IEC 27001 and any other applicable standards or regulations.
• Gather information to support the on-site audit activities, i.e., to identify the scope, objectives, processes, controls, risks, and opportunities of the management system, and to plan the audit methods, techniques, and resources accordingly.

The other statements are not accurate, because:

• A document review does not reveal or decide about the conformity or nonconformity of the management system as a whole, but only of the documented information. The conformity or nonconformity of the management system is determined by the on-site audit activities, which include interviews, observations, and tests12
• A document review does not gather evidence or findings to support the audit report or process, but information to support the on-site audit activities. The evidence or findings are collected during the on-site audit activities, which are then documented and reported12
• A document review does not detect any nonconformity of the management system, if documented, but determines the conformity of the documented information. The nonconformity of the management system is detected by the on-site audit activities, which evaluate the performance and effectiveness of the management system12
• A document review does not identify information to support the audit plan, but gathers information to support the on-site audit activities. The audit plan is prepared before the document review, based on the audit scope, objectives, criteria, and program. The document review is part of the audit plan implementation12

References:

1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2

Sinvestment should correct the identified issue related to the lack of documentation on information security training and awareness before the stage 2 audit. Addressing this gap promptly ensures that the ISMS is fully compliant and effective when assessed in the subsequent audit stage.

References: ISO/IEC 27001:2013, Clause 7.2 (Competence)

The standard definition of ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. This definition is given in clause 3.17 of ISO/IEC 27001:2022, and it describes the main components and purpose of an ISMS. An ISMS is not a project-based approach, as it is an ongoing process that requires continual improvement. An ISMS is not a company wide business objective, as it is a management system that supports the organization’s objectives. An ISMS is not an information security systematic approach, as it is a broader concept that encompasses the organization’s context, risks, controls, and performance. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 15. : ISO/IEC 27001:2022, clause 3.17.

The use of probability theory in the sample selection process indicates that "statistical sampling" was used. Statistical sampling allows auditors to make inferences about the population based on the properties of the sample, relying on the principles of probability to select representative elements.

References: ISO 19011:2018, Guidelines for auditing management systems

No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not. Discussing previous audit reports with a friend who is an internal auditor at the auditee may compromise the external auditor's objectivity and independence.

References: ISO 19011:2018, Guidelines for auditing management systems, which emphasizes the need for auditors to maintain impartiality and confidentiality.